getTestName(); if (\strpos($test_name, 'SKIPPED-') !== false) { $this->markTestSkipped('Skipped due to a bug.'); } if (\strtoupper(\substr(\PHP_OS, 0, 3)) === 'WIN') { $this->markTestSkipped('Skip taint tests in Windows for now'); } $file_path = self::$src_dir_path . 'somefile.php'; $this->addFile( $file_path, $code ); $this->project_analyzer->trackTaintedInputs(); $this->analyzeFile($file_path, new Context(), false); } /** * @dataProvider providerInvalidCodeParse * * */ public function testInvalidCode(string $code, string $error_message): void { if (\strpos($this->getTestName(), 'SKIPPED-') !== false) { $this->markTestSkipped(); } if (\strtoupper(\substr(\PHP_OS, 0, 3)) === 'WIN') { $this->markTestSkipped('Skip taint tests in Windows for now'); } $this->expectException(\Psalm\Exception\CodeException::class); $this->expectExceptionMessageRegExp('/\b' . \preg_quote($error_message, '/') . '\b/'); $file_path = self::$src_dir_path . 'somefile.php'; $this->addFile( $file_path, $code ); $this->project_analyzer->trackTaintedInputs(); $this->analyzeFile($file_path, new Context(), false); } /** * @return array */ public function providerValidCodeParse(): array { return [ 'taintedInputInCreatedArrayNotEchoed' => [ ' $name, "id" => $id]; echo "

" . htmlentities($data["name"]) . "

"; echo "

" . $data["id"] . "

";' ], 'taintedInputInAssignedArrayNotEchoed' => [ '" . htmlentities($data["name"]) . ""; echo "

" . $data["id"] . "

";' ], 'taintedInputDirectlySuppressed' => [ 'exec("delete from users where user_id = " . $userId); } }' ], 'taintedInputDirectlySuppressedWithOtherUse' => [ 'exec("delete from users where user_id = " . $userId); } public function deleteUserSafer(PDOWrapper $pdo) : void { $userId = $this->getSafeId(); $pdo->exec("delete from users where user_id = " . $userId); } public function getSafeId() : string { return "5"; } } class PDOWrapper { /** * @psalm-taint-sink sql $sql */ public function exec(string $sql) : void {} }' ], 'taintedInputToParamButSafe' => [ 'deleteUser( $pdo, $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public function deleteUser(PDO $pdo, string $userId) : void { $userId2 = strlen($userId); $pdo->exec("delete from users where user_id = " . $userId2); } }' ], 'ValidatedInputFromParam' => [ 'getUserId(); validateUserId($userId); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }' ], 'untaintedInputAfterIntCast' => [ 'getUserId(); } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } }' ], 'specializedCoreFunctionCall' => [ ' [ ' [ ' [ ' [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }' ], 'taintOnPregReplaceCallRemovedInFunction' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }' ], 'taintOnStrReplaceCallRemovedInline' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { /** * @psalm-taint-escape html */ $a = str_replace("foo", "bar", $o->s); echo $a; } }' ], 'NoTaintsOnSimilarPureCall' => [ 's = $s; } } class O2 { public string $t; public function __construct() { $this->t = (string) $_GET["FOO"]; } } class V1 { public function foo() : void { $o = new O1((string) $_GET["FOO"]); echo U::escape(U::shorten($o->s)); } } class V2 { public function foo(O2 $o) : void { echo U::shorten(U::escape($o->t)); } }' ], 'taintPropertyPassingObjectWithDifferentValue' => [ 'id = $userId; } } class UserUpdater { public static function doDelete(PDO $pdo, User $user) : void { self::deleteUser($pdo, $user->name); } public static function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } } $userObj = new User((string) $_GET["user_id"]); UserUpdater::doDelete(new PDO(), $userObj);' ], 'taintPropertyWithoutPassingObject' => [ 'id = $userId; } public function setId(string $userId) : void { $this->id = $userId; } } function echoId(User $u2) : void { echo $u2->id; } $u = new User("5"); echoId($u); $u->setId($_GET["user_id"]);', ], 'specializeStaticMethod' => [ ' [ ' $_GET["name"], "b" => "foo"]; foreach ($a as $m) { echo $m["b"]; }' ], 'taintFreeNestedArrayWithOffsetAccessedExplicitly' => [ ' $_GET["name"], "b" => "foo"]; echo $a[0]["b"];', ], 'intUntainted' => [ ' [ 'x = $x; } } $a = new StringHolder("a"); $b = new StringHolder($_GET["x"]); echo $a->x;' ], 'suppressTaintedInput' => [ ' [ ' [ ' [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A { public function __construct($taint) {} } $b = new B($_GET["bar"]); echo $b->getTaint();' ], 'immutableClassTrackInputThroughMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } $b = new A($_GET["bar"]); $a = new A("bar"); echo $a->getTaint();', ], 'literalStringCannotCarryTaint' => [ ' */ public function providerInvalidCodeParse(): array { return [ 'taintedInputFromMethodReturnTypeSimple' => [ 'getUserId(); } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputFromFunctionReturnType' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:6:26 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src/somefile.php:3:32) -> coalesce (src/somefile.php:3:32) -> getName (src/somefile.php:2:42) -> call to echo (src/somefile.php:6:26) -> echo#1', ], 'taintedInputFromExplicitTaintSource' => [ ' 'TaintedHtml', ], 'taintedInputFromExplicitTaintSourceStaticMethod' => [ ' 'TaintedHtml', ], 'taintedInputFromGetArray' => [ ' 'TaintedHtml', ], 'taintedInputFromReturnToInclude' => [ ' 'TaintedInclude', ], 'taintedInputFromReturnToEval' => [ ' 'TaintedEval', ], 'taintedInputFromReturnTypeToEcho' => [ 'getUserId(); } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); echo $userId; } }', 'error_message' => 'TaintedHtml', ], 'taintedInputInCreatedArrayIsEchoed' => [ ' $name]; echo "

" . $data["name"] . "

";', 'error_message' => 'TaintedHtml', ], 'testTaintedInputInAssignedArrayIsEchoed' => [ '" . $data["name"] . "";', 'error_message' => 'TaintedHtml', ], 'taintedInputDirectly' => [ 'exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputFromReturnTypeWithBranch' => [ 'getUserId(); if (rand(0, 1)) { $userId .= "aaa"; } else { $userId .= "bb"; } return $userId; } public function deleteUser(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'sinkAnnotation' => [ 'getUserId(); } public function deleteUser(PDOWrapper $pdo) : void { $userId = $this->getAppendedUserId(); $pdo->exec("delete from users where user_id = " . $userId); } } class PDOWrapper { /** * @psalm-taint-sink sql $sql */ public function exec(string $sql) : void {} }', 'error_message' => 'TaintedSql', ], 'taintedInputFromParam' => [ 'getUserId(); } public function doDelete(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql - src' . DIRECTORY_SEPARATOR . 'somefile.php:17:40 - Detected tainted SQL in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:4:45) -> A::getUserId (src/somefile.php:3:55) -> concat (src/somefile.php:8:36) -> A::getAppendedUserId (src/somefile.php:7:63) -> $userId (src/somefile.php:12:29) -> call to A::deleteUser (src/somefile.php:13:53) -> $userId (src/somefile.php:16:69) -> call to PDO::exec (src/somefile.php:17:40) -> PDO::exec#1', ], 'taintedInputToParam' => [ 'deleteUser( $pdo, $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputToParamAfterAssignment' => [ 'deleteUser( $pdo, $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public function deleteUser(PDO $pdo, string $userId) : void { $userId2 = $userId; $pdo->exec("delete from users where user_id = " . $userId2); } }', 'error_message' => 'TaintedSql', ], 'taintedInputToParamAlternatePath' => [ 'deleteUser( $pdo, self::doFoo(), $this->getAppendedUserId((string) $_GET["user_id"]) ); } public function getAppendedUserId(string $user_id) : string { return "aaa" . $user_id; } public static function doFoo() : string { return "hello"; } public function deleteUser(PDO $pdo, string $userId, string $userId2) : void { $pdo->exec("delete from users where user_id = " . $userId); if (rand(0, 1)) { $pdo->exec("delete from users where user_id = " . $userId2); } } }', 'error_message' => 'TaintedSql - src' . DIRECTORY_SEPARATOR . 'somefile.php:23:44 - Detected tainted SQL in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:7:67) -> call to A::getAppendedUserId (src/somefile.php:7:58) -> $user_id (src/somefile.php:11:66) -> concat (src/somefile.php:12:36) -> A::getAppendedUserId (src/somefile.php:11:78) -> call to A::deleteUser (src/somefile.php:7:33) -> $userId2 (src/somefile.php:19:85) -> call to PDO::exec (src/somefile.php:23:44) -> PDO::exec#1', ], 'taintedInParentLoader' => [ 'exec("select * from foo where bar = " . $sink); } } class AGrandChild extends AChild {} class C { public function foo(string $user_id) : void { AGrandChild::loadFull($user_id); } } (new C)->foo((string) $_GET["user_id"]);', 'error_message' => 'TaintedSql - src' . DIRECTORY_SEPARATOR . 'somefile.php:16:44 - Detected tainted SQL in path: $_GET -> $_GET[\'user_id\'] (src/somefile.php:28:43) -> call to C::foo (src/somefile.php:28:34) -> $user_id (src/somefile.php:23:52) -> call to AGrandChild::loadFull (src/somefile.php:24:51) -> AGrandChild::loadFull#1 (src/somefile.php:5:64) -> A::loadFull#1 (src/somefile.php:24:51) -> $sink (src/somefile.php:5:64) -> call to A::loadPartial (src/somefile.php:6:49) -> A::loadPartial#1 (src/somefile.php:3:76) -> AChild::loadPartial#1 (src/somefile.php:6:49) -> $sink (src/somefile.php:15:67) -> call to PDO::exec (src/somefile.php:16:44) -> PDO::exec#1', ], 'taintedInputFromProperty' => [ 'userId = (string) $_GET["user_id"]; } public function getAppendedUserId() : string { return "aaaa" . $this->userId; } public function doDelete(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputFromPropertyViaMixin' => [ 'userId = (string) $_GET["user_id"]; } } /** @mixin A */ class B { private A $a; public function __construct(A $a) { $this->a = $a; } public function __get(string $name) { return $this->a->$name; } } class C { private B $b; public function __construct(B $b) { $this->b = $b; } public function getAppendedUserId() : string { return "aaaa" . $this->b->userId; } public function doDelete(PDO $pdo) : void { $userId = $this->getAppendedUserId(); $this->deleteUser($pdo, $userId); } public function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } }', 'error_message' => 'TaintedSql', ], 'taintedInputViaStaticFunction' => [ ' 'TaintedHtml', ], 'taintedInputViaPureStaticFunction' => [ ' 'TaintedHtml', ], 'untaintedInputViaStaticFunctionWithoutSafePath' => [ ' 'TaintedHtml', ], 'taintedInputFromMagicProperty' => [ ' */ private $vars = []; public function __get(string $s) : string { return $this->vars[$s]; } public function __set(string $s, string $t) { $this->vars[$s] = $t; } } function getAppendedUserId() : void { $a = new A(); $a->userId = (string) $_GET["user_id"]; echo $a->userId; }', 'error_message' => 'TaintedHtml', ], 'taintOverMixed' => [ ' 'TaintedHtml', ], 'taintStrConversion' => [ ' 'TaintedHtml', ], 'taintIntoExec' => [ ' 'TaintedShell', ], 'taintIntoExecMultipleConcat' => [ ' 'TaintedShell', ], 'taintIntoNestedArrayUnnestedSeparately' => [ ' 'TaintedShell', ], 'taintIntoArrayAndThenOutAgain' => [ ' 'TaintedShell', ], 'taintAppendedToArray' => [ ' 'TaintedShell', ], 'taintOnSubstrCall' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }', 'error_message' => 'TaintedHtml', ], 'taintOnStrReplaceCallSimple' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }', 'error_message' => 'TaintedHtml', ], 'taintOnPregReplaceCall' => [ 's = (string) $_GET["FOO"]; } } class V1 extends V { public function foo(O1 $o) : void { echo U::shorten($o->s); } }', 'error_message' => 'TaintedHtml', ], 'IndirectGetAssignment' => [ 'name = $name; } /** * @psalm-specialize-call */ public function getArg(string $method, string $type) { $arg = null; switch ($method) { case "post": if (isset($_POST[$this->name])) { $arg = $_POST[$this->name]; } break; case "get": if (isset($_GET[$this->name])) { $arg = $_GET[$this->name]; } break; } return $this->filterInput($type, $arg); } protected function filterInput(string $type, $arg) { // input is null if ($arg === null) { return null; } // set to null if sanitize clears arg if ($arg === "") { $arg = null; } // type casting if ($arg !== null) { $arg = $this->typeCastInput($type, $arg); } return $arg; } protected function typeCastInput(string $type, $arg) { if ($type === "string") { return (string) $arg; } return null; } } echo (new InputFilter("hello"))->getArg("get", "string");', 'error_message' => 'TaintedHtml', ], 'taintPropertyPassingObject' => [ 'id = $userId; } } class UserUpdater { public static function doDelete(PDO $pdo, User $user) : void { self::deleteUser($pdo, $user->id); } public static function deleteUser(PDO $pdo, string $userId) : void { $pdo->exec("delete from users where user_id = " . $userId); } } $userObj = new User((string) $_GET["user_id"]); UserUpdater::doDelete(new PDO(), $userObj);', 'error_message' => 'TaintedSql', ], 'taintPropertyPassingObjectSettingValueLater' => [ 'id = $userId; } public function setId(string $userId) : void { $this->id = $userId; } } function echoId(User $u2) : void { echo $u2->id; } $u = new User("5"); $u->setId($_GET["user_id"]); echoId($u);', 'error_message' => 'TaintedHtml', ], 'ImplodeExplode' => [ ' 'TaintedHtml', ], 'ImplodeIndirect' => [ ' 'TaintedHtml', ], 'taintThroughPregReplaceCallback' => [ ' 'TaintedHtml', ], 'taintedFunctionWithNoTypes' => [ ' 'TaintedHtml', ], 'taintedStaticCallWithNoTypes' => [ ' 'TaintedHtml', ], 'taintedInstanceCallWithNoTypes' => [ 'rawinput();', 'error_message' => 'TaintedHtml', ], 'taintStringObtainedUsingStrval' => [ ' 'TaintedHtml', ], 'taintStringObtainedUsingSprintf' => [ ' 'TaintedHtml', ], 'encapsulatedString' => [ ' 'TaintedHtml', ], 'encapsulatedToStringMagic' => [ ' 'TaintedHtml', ], 'castToStringMagic' => [ ' 'TaintedHtml', ], 'castToStringViaArgument' => [ ' 'TaintedHtml', ], 'toStringTaintInSubclass' => [ ' 'TaintedHtml', ], 'implicitToStringMagic' => [ ' 'TaintedHtml', ], 'namespacedFunction' => [ ' 'TaintedHtml', ], 'print' => [ ' 'TaintedHtml - src' . DIRECTORY_SEPARATOR . 'somefile.php:2:27 - Detected tainted HTML in path: $_GET -> $_GET[\'name\'] (src/somefile.php:2:27) -> call to print (src/somefile.php:2:27) -> print#1', ], 'unpackArgs' => [ ' 'TaintedHtml', ], 'foreachArg' => [ ' 'TaintedHtml', ], 'magicPropertyType' => [ 'params[$a]; } public function __set(string $a, $value) { $this->params[$a] = $value; } } $m = new Magic(); $m->taint = $_GET["input"]; echo $m->taint;', 'error_message' => 'TaintedHtml', ], 'taintNestedArrayWithOffsetAccessedInForeach' => [ ' $_GET["name"], "b" => "foo"]; foreach ($a as $m) { echo $m["a"]; }', 'error_message' => 'TaintedHtml', ], 'taintNestedArrayWithOffsetAccessedExplicitly' => [ ' $_GET["name"], "b" => "foo"]; echo $a[0]["a"];', 'error_message' => 'TaintedHtml', ], 'taintThroughArrayMapExplicitClosure' => [ ' 'TaintedHtml', ], 'taintThroughArrayMapExplicitTypedClosure' => [ ' 'TaintedHtml', ], 'taintThroughArrayMapExplicitArrowFunction' => [ ' trim($str), $_GET); echo $get["test"];', 'error_message' => 'TaintedHtml', ], 'taintThroughArrayMapImplicitFunctionCall' => [ ' $_GET["name"]]; $get = array_map("trim", $a); echo $get["test"];', 'error_message' => 'TaintedHtml', ], 'taintFilterVar' => [ ' "trim"]); echo $get["test"];', 'error_message' => 'TaintedHtml', ], 'taintAfterReconciledType' => [ ' 'TaintedHtml', ], 'taintExit' => [ ' 'TaintedHtml', ], 'taintSpecializedMethod' => [ 'isUnsafe();', 'error_message' => 'TaintedHtml', ], 'doTaintSpecializedInstanceProperty' => [ 'x = $x; } } $b = new StringHolder($_GET["x"]); echo $b->x;', 'error_message' => 'TaintedHtml', ], 'taintUnserialize' => [ ' 'TaintedUnserialize', ], 'taintCreateFunction' => [ ' 'TaintedEval', ], 'taintException' => [ ' 'TaintedHtml', ], 'taintError' => [ 'getTraceAsString()}\n"; }', 'error_message' => 'TaintedHtml', ], 'taintThrowable' => [ ' 'TaintedHtml', ], 'taintReturnedArray' => [ ' 'TaintedHtml', ], 'taintFlow' => [ ' return */ function some_stub(string $r): string {} $r = $_GET["untrusted"]; echo some_stub($r);', 'error_message' => 'TaintedHtml', ], 'taintFlowProxy' => [ ' 'TaintedText', ], 'taintFlowProxyAndReturn' => [ ' return */ function some_stub(string $r): string {} $r = $_GET["untrusted"]; echo some_stub($r);', 'error_message' => 'TaintedHtml', ], 'taintFlowMethodProxyAndReturn' => [ ' return */ function some_stub(string $r): string {} $r = $_GET["untrusted"]; echo some_stub($r);', 'error_message' => 'TaintedHtml', ], 'taintPopen' => [ ' 'TaintedShell', ], 'taintProcOpen' => [ ' 'TaintedShell', ], 'taintedCurlInit' => [ ' 'TaintedSSRF', ], 'taintedCurlSetOpt' => [ ' 'TaintedSSRF', ], 'taintThroughChildConstructorWithoutMethodOverride' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A {} $b = new B($_GET["bar"]); echo $b->getTaint();', 'error_message' => 'TaintedHtml', ], 'taintThroughChildConstructorCallingParentMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A {} class C extends B {} $c = new C($_GET["bar"]); function foo(B $b) { echo $b->getTaint(); }', 'error_message' => 'TaintedHtml', ], 'taintThroughChildConstructorCallingGrandParentMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A {} class C extends B {} $c = new C($_GET["bar"]); function foo(A $a) { echo $a->getTaint(); }', 'error_message' => 'TaintedHtml', ], 'taintThroughChildConstructorWhenMethodOverriddenWithParentConstructorCall' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } class B extends A { public function __construct($taint) { parent::__construct($taint); } } $b = new B($_GET["bar"]); echo $b->getTaint();', 'error_message' => 'TaintedHtml', ], 'taintedLdapSearch' => [ ' 'TaintedLdap', ], 'potentialTaintThroughChildClassSettingProperty' => [ 'taint; } } class B extends A { public function __construct(string $taint) { $this->taint = $taint; } } $b = new B($_GET["bar"]); echo $b->getTaint();', 'error_message' => 'TaintedHtml', ], 'immutableClassTrackInputThroughMethod' => [ 'taint = $taint; } public function getTaint() : string { return $this->taint; } } $a = new A($_GET["bar"]); echo $a->getTaint();', 'error_message' => 'TaintedHtml', ], /* // TODO: Stubs do not support this type of inference even with $this->message = $message. // Most uses of getMessage() would be with caught exceptions, so this is not representative of real code. 'taintException' => [ 'getMessage();', 'error_message' => 'TaintedHtml', ], */ ]; } }